{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5329", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "state": "PUBLISHED", "assignerShortName": "rapid7", "dateReserved": "2026-04-01T13:33:23.515Z", "datePublished": "2026-04-09T17:52:05.885Z", "dateUpdated": "2026-04-10T03:56:08.816Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-04-09T17:52:05.885Z"}, "title": "Rapid7 Velociraptor Improper Input Validation in Client Message Handler", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper input validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "affected": [{"vendor": "Rapid7", "product": "Velociraptor", "platforms": ["Linux"], "repo": "https://github.com/Velocidex/velociraptor", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "0.76.1", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThanOrEqual": "0.75.6", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThanOrEqual": "0.74.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Rapid7 Velociraptor versions prior to 0.76.2\u00a0contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u00a0does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability."}]}], "references": [{"url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue.", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-5329"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T03:56:08.816Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5329", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T18:58:41.038480Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T18:58:49.938Z"}}], "cna": {"title": "Rapid7 Velociraptor Improper Input Validation in Client Message Handler", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "We thank Chris Au (@netero_1010) from NyxLab for identifying and reporting this issue."}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/Velocidex/velociraptor", "vendor": "Rapid7", "product": "Velociraptor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.76.1"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.75.6"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.74.6"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Rapid7 Velociraptor versions prior to 0.76.2\u00a0contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u00a0does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper input validation"}]}], "providerMetadata": {"orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7", "dateUpdated": "2026-04-09T17:52:05.885Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5329", "state": "PUBLISHED", "dateUpdated": "2026-04-10T03:56:08.816Z", "dateReserved": "2026-04-01T13:33:23.515Z", "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "datePublished": "2026-04-09T17:52:05.885Z", "assignerShortName": "rapid7"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rapid7 Velociraptor versions prior to 0.76.2\u00a0contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring message with a malicious queue name. The server handler that receives client monitoring messages\u00a0does not sufficiently validate the queue name supplied by the client, allowing a rogue client to write arbitrary messages to privileged internal queues. This may lead to remote code execution on the Velociraptor server. Rapid7 Hosted Velociraptor instances are not affected by this vulnerability."}], "id": "CVE-2026-5329", "lastModified": "2026-04-09T18:17:04.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "cve@rapid7.com", "type": "Secondary"}]}, "published": "2026-04-09T18:17:04.253", "references": [{"source": "cve@rapid7.com", "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-5329/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve@rapid7.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.76.1]"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.75.6]"}}, {"platform": ["linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.74.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Velociraptor", "source": "cna", "vendor": "Rapid7"}, "product": "velociraptor", "vendor": "rapid7"}], "analysis": {"en": {"generated_at": "2026-04-09T19:21:11.395391+00:00", "value": {"mitigation_remediation": ["Upgrade Rapid7 Velociraptor to version 0.76.2 or later.", "Confirm that the installed version is no longer affected by performing a version check or consulting the release notes.", "If an upgrade is not immediately possible, isolate the Velociraptor server from untrusted networks or restrict client access to trusted IP ranges.", "Review and audit client authentication policies to ensure only authorized clients can connect to the server\u2019s monitoring interface.", "Monitor the server\u2019s internal queue activity for anomalous messages or failed authentication attempts to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected products are Rapid7 Velociraptor installations running on Linux. All instances using a version prior to 0.76.2 are vulnerable. Rapid7 Hosted Velociraptor services are not impacted. The vulnerability only applies to server configurations that allow authenticated client monitoring connections.", "description_and_impact": "Rapid7 Velociraptor versions earlier than 0.76.2 on Linux servers contain an improper validation error in the client monitoring message handler. A client that is authenticated to the Velociraptor server can send a monitoring message with a malicious queue name. The server does not enforce a proper whitelist or length check, allowing the rogue client to inject a crafted request that writes arbitrary messages to privileged internal queues. The attacker can then potentially execute arbitrary code on the Velociraptor server. The vulnerability falls under CWE\u201120, reflecting an insecure input validation weakness.", "risk_and_exploitability": "The CVSS score of 8.5 indicates high severity. EPSS is not available, and the vulnerability is not yet listed in CISA\u2019s KEV catalog. The attack requires authenticated access to the client monitoring interface, meaning that only users or automated processes with legitimate credentials can exploit the flaw. Once the attacker can write to privileged queues, they may achieve remote code execution, compromising confidentiality, integrity, and availability of the Velociraptor server. As the flaw is exploitable via network traffic, the range of impact can extend to all services that rely on the compromised server."}}}}, "created": "2026-04-10T08:52:40.500372+00:00", "updated": "2026-04-10T09:31:50.284958+00:00", "vendors": ["rapid7", "rapid7$PRODUCT$velociraptor"]}